From 1dfe8b4e742c6de5acc7fcebabb80ab7f95f102a Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Fri, 11 Dec 2020 16:13:39 +0000 Subject: [PATCH 1/7] Add optional LoadBalancer service for HA mode --- templates/server-ha-active-service.yaml | 4 +-- templates/server-ha-lb.yaml | 44 ++++++++++++++++++++++++ templates/server-ha-standby-service.yaml | 4 +-- values.yaml | 15 ++++++-- 4 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 templates/server-ha-lb.yaml diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index b6366b022..bc54fba51 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,6 +1,5 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for active Vault pod apiVersion: v1 kind: Service @@ -38,4 +37,3 @@ spec: component: server vault-active: "true" {{- end }} -{{- end }} diff --git a/templates/server-ha-lb.yaml b/templates/server-ha-lb.yaml new file mode 100644 index 000000000..5263ac193 --- /dev/null +++ b/templates/server-ha-lb.yaml 
@@ -0,0 +1,44 @@
+{{ template "vault.mode" . }}
+{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ha.lb.enabled | toString) "true") }}
+# LoadBalancer for active Vault pod
+apiVersion: v1
+kind: LoadBalancer
+metadata:
+ name: {{ template "vault.fullname" . }}-lb
+ namespace: {{ .Release.Namespace }}
+ labels:
+ helm.sh/chart: {{ include "vault.chart" . }}
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ annotations:
+{{ template "vault.service.annotations" .}}
+spec:
+ {{- if .Values.server.service.type}}
+ type: {{ .Values.server.service.type }}
+ {{- end}}
+ {{- if .Values.server.service.clusterIP }}
+ clusterIP: {{ .Values.server.service.clusterIP }}
+ {{- end }}
+ {{- if .Values.server.ha.local }}
+ externalTrafficPolicy: Local
+ {{- else }}
+ externalTrafficPolicy: Cluster
+ {{- end }}
+ publishNotReadyAddresses: true
+ ports:
+ - name: {{ include "vault.scheme" . }}
+ port: {{ .Values.server.service.port }}
+ targetPort: {{ .Values.server.service.targetPort }}
+ {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }}
+ nodePort: {{ .Values.server.service.nodePort }}
+ {{- end }}
+ - name: https-internal
+ port: 8201
+ targetPort: 8201
+ selector:
+ app.kubernetes.io/name: {{ include "vault.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ component: server
+ vault-active: "true"
+{{- end }}
diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml
index 473de5517..79829d3ba 100644
--- a/templates/server-ha-standby-service.yaml
+++ b/templates/server-ha-standby-service.yaml
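Review bot: The new Service in templates/server-ha-lb.yaml publishes the active Vault pod on an external load balancer with no way to restrict who can reach it: the spec has no `loadBalancerSourceRanges`, and next to the API port it also forwards `https-internal` on 8201. Consider a values-driven allow-list, e.g. `{{- with .Values.server.ha.lb.loadBalancerSourceRanges }}` / `loadBalancerSourceRanges: {{- toYaml . | nindent 4 }}` / `{{- end }}` (the values key is a suggestion, not an existing one), and confirm that 8201 really has to be reachable from outside the cluster. The first port is named from `vault.scheme`, so if that resolves to http the API would presumably be served through the load balancer without TLS; a guard or a documented warning for that combination would help. The later server-ha-lb.yaml hunks in this series (type fixed to `LoadBalancer`, added 8202 port) keep the same exposure.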
@@ -1,6 +1,5 @@ {{ template "vault.mode" . }} -{{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} +{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for standby Vault pod apiVersion: v1 kind: Service @@ -38,4 +37,3 @@ spec: component: server vault-active: "false" {{- end }} -{{- end }} diff --git a/values.yaml b/values.yaml index f95b995f7..fa8fd0a27 100644 --- a/values.yaml +++ b/values.yaml @@ -469,14 +469,23 @@ server: #} # Run Vault in "HA" mode. There are no storage requirements unless audit log - # persistence is required. In HA mode Vault will configure itself to use Consul - # for its storage backend. The default configuration provided will work the Consul - # Helm project by default. It is possible to manually configure Vault to use a + # persistence is required. In HA mode Vault will configure itself to use Consul + # for its storage backend. The default configuration provided will work with the Consul + # Helm project by default. It is possible to manually configure Vault to use a # different HA backend. ha: enabled: false replicas: 3 + # Create a LoadBalancer service type. This is the recommended ingress for + # cross-cluster replication, but it may be useful for other cases too. + lb: + enabled: false + # Set the externalTrafficPolicy to "Local". Local preserves the client source + # IP and avoids a second hop for LoadBalancer and Nodeport type services, but + # risks potentially imbalanced traffic spreading + #local: true + # Set the api_addr configuration for Vault HA # See https://www.vaultproject.io/docs/configuration#api_addr # If set to null, this will be set to the Pod IP Address From c29bcb8f9cc0efe1f52ffdece982285a469d0a83 Mon Sep 17 00:00:00 2001 
From: Tom Proctor Date: Mon, 14 Dec 2020 13:37:16 +0000 Subject: [PATCH 2/7] Updates --- templates/_helpers.tpl | 14 ++++++++++++++ templates/server-ha-active-service.yaml | 2 ++ templates/server-ha-lb.yaml | 17 ++++------------- templates/server-ha-standby-service.yaml | 2 ++ values.yaml | 17 +++++++++++++---- 5 files changed, 35 insertions(+), 17 deletions(-) diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 978932460..5ebf6dba8 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -393,6 +393,20 @@ Sets extra vault server Service annotations {{- end }} {{- end -}} +{{/* +Sets extra vault server LoadBalancer annotations +*/}} +{{- define "vault.lb.annotations" -}} + {{- if .Values.server.ha.lb.annotations }} + {{- $tp := typeOf .Values.server.ha.lb.annotations }} + {{- if eq $tp "string" }} + {{- tpl .Values.server.ha.lb.annotations . | nindent 4 }} + {{- else }} + {{- toYaml .Values.server.ha.lb.annotations | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} + {{/* Sets PodSecurityPolicy annotations */}} diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index bc54fba51..74fca41d7 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml @@ -1,4 +1,5 @@ {{ template "vault.mode" . }} +{{- if ne .mode "external" }} {{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for active Vault pod apiVersion: v1 @@ -37,3 +38,4 @@ spec: component: server vault-active: "true" {{- end }} +{{- end }} diff --git a/templates/server-ha-lb.yaml b/templates/server-ha-lb.yaml index 5263ac193..6883136f2 100644 --- a/templates/server-ha-lb.yaml +++ b/templates/server-ha-lb.yaml 
@@ -12,20 +12,11 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} annotations: -{{ template "vault.service.annotations" .}} +{{ template "vault.lb.annotations" .}} spec: - {{- if .Values.server.service.type}} - type: {{ .Values.server.service.type }} - {{- end}} - {{- if .Values.server.service.clusterIP }} - clusterIP: {{ .Values.server.service.clusterIP }} - {{- end }} - {{- if .Values.server.ha.local }} - externalTrafficPolicy: Local - {{- else }} - externalTrafficPolicy: Cluster - {{- end }} - publishNotReadyAddresses: true + type: LoadBalancer + externalTrafficPolicy: {{ .Values.server.ha.lb.externalTrafficPolicy }} + publishNotReadyAddresses: {{ .Values.server.ha.lb.publishNotReadyAddresses }} ports: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index 79829d3ba..aba6c8add 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,4 +1,5 @@ {{ template "vault.mode" . }} +{{- if ne .mode "external" }} {{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} # Service for standby Vault pod apiVersion: v1 @@ -37,3 +38,4 @@ spec: component: server vault-active: "false" {{- end }} +{{- end }} diff --git a/values.yaml b/values.yaml index fa8fd0a27..ded9c6040 100644 --- a/values.yaml +++ b/values.yaml 
@@ -481,10 +481,19 @@ server: # cross-cluster replication, but it may be useful for other cases too. lb: enabled: false - # Set the externalTrafficPolicy to "Local". Local preserves the client source - # IP and avoids a second hop for LoadBalancer and Nodeport type services, but - # risks potentially imbalanced traffic spreading - #local: true + + # Local preserves the client source IP and avoids a second hop for + # LoadBalancer services, but risks potentially imbalanced traffic spreading. + externalTrafficPolicy: Local + + # publishNotReadyAddresses indicates that any agent which deals with endpoints + # for this Service should disregard any indications of ready/not-ready. + publishNotReadyAddresses: false + + # Extra annotations for the service definition. This can either be YAML or a + # YAML-formatted multi-line templated string map of the annotations to apply + # to the service. + annotations: {} # Set the api_addr configuration for Vault HA # See https://www.vaultproject.io/docs/configuration#api_addr From d5e6fb3381b7e29858a5259a9a3c6fda59048b5c Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Dec 2020 15:22:41 +0000 Subject: [PATCH 3/7] Add unit tests --- test/unit/server-ha-lb.bats | 203 ++++++++++++++++++++++++++++++++++++ 1 file changed, 203 insertions(+) create mode 100644 test/unit/server-ha-lb.bats diff --git a/test/unit/server-ha-lb.bats b/test/unit/server-ha-lb.bats new file mode 100644 index 000000000..4271f4f27 --- /dev/null +++ b/test/unit/server-ha-lb.bats 
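Review bot: The comment above `lb:` in values.yaml describes the service only as the recommended ingress for cross-cluster replication and never says that enabling it makes Vault reachable from outside the cluster. I would extend it with something like `# Enabling this publishes the Vault API port and the cluster ports on an external load balancer address; restrict access (provider firewall rules or annotations) before turning it on.` The default `externalTrafficPolicy: Local` is worth keeping, since, as the new comment notes, it preserves the client source IP, which is what source-based rules and request logging rely on.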
@@ -0,0 +1,203 @@ +#!/usr/bin/env bats + +load _helpers + +@test "server/ha-lb-Service: generic annotations" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.ha.lb.annotations=vaultIsAwesome: true' \ + . | tee /dev/stderr | + yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-lb-Service: disable with ha.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=false' \ + --set 'server.ha.lb.enabled=true' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-lb-Service: disable with ha.lb.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-lb-Service: disable with server.service.enabled false" { + cd `chart_dir` + local actual=$( (helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.service.enabled=false' \ + . || echo "---") | tee /dev/stderr | + yq 'length > 0' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-lb-Service: type LoadBalancer" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.type' | tee /dev/stderr) + [ "${actual}" = "LoadBalancer" ] +} + +@test "server/ha-lb-Service: clusterIP empty by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.clusterIP' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-lb-Service: externalTrafficPolicy Local and publishNotReadyAddresses false as defaults" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Local" ] + + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "false" ] +} + +@test "server/ha-lb-Service: externalTrafficPolicy can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.ha.lb.externalTrafficPolicy=Cluster' \ + . | tee /dev/stderr | + yq -r '.spec.externalTrafficPolicy' | tee /dev/stderr) + [ "${actual}" = "Cluster" ] +} + +@test "server/ha-lb-Service: publishNotReadyAddresses can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.ha.lb.publishNotReadyAddresses=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.publishNotReadyAddresses' | tee /dev/stderr) + [ "${actual}" = "true" ] +} + +@test "server/ha-lb-Service: port and targetPort will be 8200 by default" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8200" ] + + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "8200" ] +} + +@test "server/ha-lb-Service: port and targetPort can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.service.port=8000' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8000" ] + + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.service.targetPort=80' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "80" ] +} + +@test "server/ha-lb-Service: nodeport can be set" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.service.type=NodePort' \ + --set 'server.service.nodePort=30009' \ + . 
| tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "30009" ] +} + +@test "server/ha-lb-Service: nodeport can't set when type isn't NodePort" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.service.nodePort=30009' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) + [ "${actual}" = "null" ] +} + +@test "server/ha-lb-Service: vault port name is http, when tlsDisable is true" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'global.tlsDisable=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "http" ] +} + +@test "server/ha-lb-Service: vault port name is https, when tlsDisable is false" { + cd `chart_dir` + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.ports | map(select(.port==8200)) | .[] .name' | tee /dev/stderr) + [ "${actual}" = "https" ] +} From 7a2692e568fc477c5b2bce327234a57094688dec Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Dec 2020 15:39:29 +0000 Subject: [PATCH 4/7] Undo logic tidy changes --- templates/server-ha-active-service.yaml | 2 +- templates/server-ha-standby-service.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml index 74fca41d7..b6366b022 100644 --- a/templates/server-ha-active-service.yaml +++ b/templates/server-ha-active-service.yaml 
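Review bot: No test in the new test/unit/server-ha-lb.bats pins the default: every case sets `server.ha.lb.enabled` explicitly, so a later change that flipped the default in values.yaml to true, and with it created an externally reachable Service on every HA install, would still pass this suite. Add a case that renders the template with only `server.ha.enabled=true` and expects no document, modelled on the existing `disable with ...` cases.

```shell
@test "server/ha-lb-Service: disabled by default" {
  cd `chart_dir`
  local actual=$( (helm template \
      --show-only templates/server-ha-lb.yaml \
      --set 'server.ha.enabled=true' \
      . || echo "---") | tee /dev/stderr |
      yq 'length > 0' | tee /dev/stderr)
  [ "${actual}" = "false" ]
}
```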
@@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} # Service for active Vault pod apiVersion: v1 kind: Service diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml index aba6c8add..473de5517 100644 --- a/templates/server-ha-standby-service.yaml +++ b/templates/server-ha-standby-service.yaml @@ -1,6 +1,6 @@ {{ template "vault.mode" . }} {{- if ne .mode "external" }} -{{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }} +{{- if and (eq .mode "ha" ) (and (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true")) }} # Service for standby Vault pod apiVersion: v1 kind: Service From 3e4496adb7f34bf90889622d29d9e23a5d6f0675 Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Dec 2020 15:43:22 +0000 Subject: [PATCH 5/7] Remove nodePort and add rep port --- templates/server-ha-lb.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/server-ha-lb.yaml b/templates/server-ha-lb.yaml index 6883136f2..344e0e54c 100644 --- a/templates/server-ha-lb.yaml +++ b/templates/server-ha-lb.yaml 
@@ -21,12 +21,12 @@ spec: - name: {{ include "vault.scheme" . }} port: {{ .Values.server.service.port }} targetPort: {{ .Values.server.service.targetPort }} - {{- if and (.Values.server.service.nodePort) (eq (.Values.server.service.type | toString) "NodePort") }} - nodePort: {{ .Values.server.service.nodePort }} - {{- end }} - name: https-internal port: 8201 targetPort: 8201 + - name: {{ include "vault.scheme" . }}-rep + port: 8202 + targetPort: 8202 selector: app.kubernetes.io/name: {{ include "vault.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} From 48f34c096c8a675b80d9f5b627c10c0dee03b70f Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Dec 2020 15:52:32 +0000 Subject: [PATCH 6/7] Fix/add tests --- test/unit/server-ha-lb.bats | 60 +++++++++++++++++++++++++++---------- 1 file changed, 44 insertions(+), 16 deletions(-) diff --git a/test/unit/server-ha-lb.bats b/test/unit/server-ha-lb.bats index 4271f4f27..2674f5aee 100644 --- a/test/unit/server-ha-lb.bats +++ b/test/unit/server-ha-lb.bats 
@@ -132,50 +132,78 @@ load _helpers [ "${actual}" = "8200" ] } -@test "server/ha-lb-Service: port and targetPort can be set" { +@test "server/ha-lb-Service: https-internal port and targetPort will be 8201" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-lb.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.lb.enabled=true' \ - --set 'server.service.port=8000' \ . | tee /dev/stderr | - yq -r '.spec.ports[0].port' | tee /dev/stderr) - [ "${actual}" = "8000" ] + yq -r '.spec.ports[1].name' | tee /dev/stderr) + [ "${actual}" = "https-internal" ] + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . | tee /dev/stderr | + yq -r '.spec.ports[1].port' | tee /dev/stderr) + [ "${actual}" = "8201" ] local actual=$(helm template \ --show-only templates/server-ha-lb.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.lb.enabled=true' \ - --set 'server.service.targetPort=80' \ . | tee /dev/stderr | - yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) - [ "${actual}" = "80" ] + yq -r '.spec.ports[1].targetPort' | tee /dev/stderr) + [ "${actual}" = "8201" ] } -@test "server/ha-lb-Service: nodeport can be set" { +@test "server/ha-lb-Service: https-rep port and targetPort will be 8202" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-lb.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.lb.enabled=true' \ - --set 'server.service.type=NodePort' \ - --set 'server.service.nodePort=30009' \ + --set 'global.tlsDisable=false' \ + . | tee /dev/stderr | + yq -r '.spec.ports[2].name' | tee /dev/stderr) + [ "${actual}" = "https-rep" ] + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + . 
| tee /dev/stderr | + yq -r '.spec.ports[2].port' | tee /dev/stderr) + [ "${actual}" = "8202" ] + + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ . | tee /dev/stderr | - yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) - [ "${actual}" = "30009" ] + yq -r '.spec.ports[2].targetPort' | tee /dev/stderr) + [ "${actual}" = "8202" ] } -@test "server/ha-lb-Service: nodeport can't set when type isn't NodePort" { +@test "server/ha-lb-Service: port and targetPort can be set" { cd `chart_dir` local actual=$(helm template \ --show-only templates/server-ha-lb.yaml \ --set 'server.ha.enabled=true' \ --set 'server.ha.lb.enabled=true' \ - --set 'server.service.nodePort=30009' \ + --set 'server.service.port=8000' \ . | tee /dev/stderr | - yq -r '.spec.ports[0].nodePort' | tee /dev/stderr) - [ "${actual}" = "null" ] + yq -r '.spec.ports[0].port' | tee /dev/stderr) + [ "${actual}" = "8000" ] + + local actual=$(helm template \ + --show-only templates/server-ha-lb.yaml \ + --set 'server.ha.enabled=true' \ + --set 'server.ha.lb.enabled=true' \ + --set 'server.service.targetPort=80' \ + . | tee /dev/stderr | + yq -r '.spec.ports[0].targetPort' | tee /dev/stderr) + [ "${actual}" = "80" ] } @test "server/ha-lb-Service: vault port name is http, when tlsDisable is true" { From 5d72b9f65d9315388684dffa070364b14003684d Mon Sep 17 00:00:00 2001 From: Tom Proctor Date: Mon, 14 Dec 2020 16:36:36 +0000 Subject: [PATCH 7/7] kind: Service --- templates/server-ha-lb.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server-ha-lb.yaml b/templates/server-ha-lb.yaml index 344e0e54c..e523be470 100644 --- a/templates/server-ha-lb.yaml +++ b/templates/server-ha-lb.yaml 
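Review bot: The new 8201 and 8202 cases address ports by position (`.spec.ports[1]`, `.spec.ports[2]`), so reordering or inserting a port in the template breaks them for the wrong reason; the tlsDisable cases in this file already select by value with `map(select(.port==8200))`. Selecting by name would be sturdier, e.g. `yq -r '.spec.ports | map(select(.name=="https-internal")) | .[] .port'`. In the `https-rep` case only the first render passes `global.tlsDisable=false`; the port and targetPort renders rely on the default, which is harmless for those assertions but inconsistent within one test.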
@@ -2,7 +2,7 @@ {{- if and (eq .mode "ha" ) (eq (.Values.server.service.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") (eq (.Values.server.ha.lb.enabled | toString) "true") }} # LoadBalancer for active Vault pod apiVersion: v1 -kind: LoadBalancer +kind: Service metadata: name: {{ template "vault.fullname" . }}-lb namespace: {{ .Release.Namespace }}